Is there any reason to give people sudo for /usr/bin/passwd at all?
If not you can just say !/usr/bin/passwd. You can also use shell-style
wildcards. Beware, however, that if you are saying something like:
username machine=ALL, !/usr/bin/passwd
the user will be able to get around the '!/usr/bin/passwd' if he/she
really wants to via a root shell or copying the passwd program to
another name.
- todd